Automatically create an account record from information in a received email

11 posts by 2 authors in: Forums > CMS Builder
Last Post: February 15, 2016   (RSS)

By gkornbluth - February 8, 2016 - edited: February 8, 2016

Hi All,

I’m setting up a member participation request form on a client’s site (i.e. fields for the prospective member’s first name, last name, email, etc.), and have the form send an email to the site admin with that information embedded in the body of the email.

(I don't want prospective members to be able to create a database record directly for security concerns)

I'm guessing that I can use the email templates to get that part done.

Where I’m stuck is how the email can be used by the admin to automatically create an account record without having to cut and paste the field information.

Any thoughts?

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!







Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gregThomas - February 8, 2016

Hi Jerry, 

What about including a link in the email that goes to the "create a new record" page for your website membership accounts section and fills out the fields with the details of the user? Then the admin just has to check the details are correct and press save.

For example, if you had a section called members, and you want to create a new record, and fill the field username with the value test and the field email with test@example.com, the following link would work:

http://test.net/cmsb/admin.php?menu=members&action=add&username=test&email=test%40example.com

Here is a breakdown of each variable in the url:

menu=members - Tells the CMS to go to the members section

action=add - Tells the CMS to create a new record.

username=test - Set the username value to test.

email=test%40example.com - Set the email field to test@example.com (%40 is the URL-encoded @ character).

So you can add the data required for each field in the url, and it will appear in the appropriate field when the link is clicked. 

Let me know if you have any questions. 

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By gkornbluth - February 8, 2016

Hi Greg,

Good to hear from you (and so quickly too...)

What started this quest, is the assumption that allowing an unknown person to fill out a web form and directly create a record in a database is a potentially big security breach.

I guess I don't quite understand your suggestion to "include a link in the email" part, without the sender being able to see (and potentially hack) the code, and have no idea how to implement the automatic functionality in steps 3, 4 or the "automatically pulled" part of 5 below.

Here's a hopefully clearer outline of the process.

1) A number of prospective members submit a sign up form on the web site requesting to be listed in a free on-line "services available" directory.

2) Each submission sends an email to the admin with the form results. (No database records are created as yet.)

3) At intervals, the admin manually culls through the emails, decides which ones are valid and deletes the bogus ones.

4) (At this point the information in the valid emails needs to somehow be made accessible to CMSB.)

5) The appropriate information is automatically pulled from the new, valid emails, and account records are created for each with a generic password and an approved box checked.

6) The emailOnApproved plugin would send an email to those accepted members with their log in information.

7) Since all accepted members received the same generic password, they would be required to change their password on first login. (I've already done steps 6 and 7 before)

Thanks,

Jerry Kornbluth


By gregThomas - February 8, 2016

Hi Jerry,

> What started this quest, is the assumption that allowing an unknown person to fill out a web form and directly create a record in a database is a potentially big security breach.

Although allowing a user to create a database record is a security risk, there are several things you can do that will drastically reduce it. For example:

  • Ensuring you escape all data before adding it into the database
  • Ensuring you HTML encode all values before displaying them on the page.
  • You could make sure the data entered by users doesn't appear on the site until it has been verified by a site admin.
  • Ensure that users can only enter what is required into a field where possible. For example if you had an age field, only allow numeric characters.

> I guess I don't quite understand your suggestion to "include a link in the email" part, without the sender being able to see (and potentially hack) the code, and have no idea how to implement the automatic functionality in steps 3, 4 or the "automatically pulled" part of 5 below.

To clarify: when a site visitor fills out their details in the form on the site saying they want to be in the services available section, an email is sent to the site admin saying the form has been used; it will contain the user's details. In that email you could include a link like the one in my previous message. Clicking this link would fill out the user's details in the 'create a record' form in the CMS in the services available section. The site admin would then check over those details and save the record if everything is OK.

Another option would be to put the user's details into the services available section when the user fills out the form, but mark the record as hidden so it doesn't show on the front end of the site until the admin has checked over the details in the CMS. If everything is OK, they can unhide the record and it will display on the front end of the site. This would be a much simpler method to integrate.

Let me know if you have any questions. 

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By gregThomas - February 8, 2016

Hey Jerry,

> Can you suggest any specific code for limiting the character input in say, a name field that should have only alphabetical characters and spaces?  I'll work through the rest based on that model.

There are a lot of times when users need to enter non-alphanumeric symbols into the name field, for example the names O'hare or BjÖrn. So it's best to filter out certain characters that definitely can't be in names. You can use preg_match to check if the certain characters are present:

  // Flag the name if it contains any character that cannot appear in a name
  if (preg_match("/[?!\"\[\]<>\(\).]/", $nameField)) {
    echo "String matched";
  } else {
    echo 'no match found';
  }

So the above code checks if the characters ?, !, ", [, ], <, >, (, ), and . are present in the $nameField variable. If they are, "String matched" will be shown. There shouldn't be any names that have those characters in, so you could set an error at this point.

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com
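The checks listed in the two replies above (restrict each field, escape before storing, keep the record hidden until reviewed, HTML-encode on output), combined in one added example that is not code from the thread or from CMS Builder. It assumes a hypothetical `requests` table in an in-memory SQLite database via PDO, uses bound parameters in place of manual escaping, and uses an allow-list for the name field rather than the deny-list shown above.

```php
<?php
// Added example. The requests table, its columns and validateSignup() are hypothetical.

function validateSignup(array $in): array {
    $errors = [];
    // Allow-list: Unicode letters and combining marks, spaces, apostrophes, hyphens.
    // Accepts O'Hare and Björn; rejects ?, !, ", [, ], <, >, (, ), . and digits.
    if (!preg_match("/^[\\p{L}\\p{M}][\\p{L}\\p{M} '\\-]{0,79}$/u", trim($in['name'] ?? ''))) {
        $errors[] = 'name';
    }
    if (filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Numeric-only field, as in the age example in the list above.
    $age = trim($in['age'] ?? '');
    if (!ctype_digit($age) || (int)$age > 120) {
        $errors[] = 'age';
    }
    return $errors;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE requests (name TEXT, email TEXT, age INTEGER, hidden INTEGER)');

// Constructed sample submissions.
$samples = [
    ['name' => "Björn O'Hare", 'email' => 'bjorn@example.com', 'age' => '41'],
    ['name' => '<b>Test</b>',  'email' => 'not-an-email',      'age' => '4x'],
];

// hidden = 1 is fixed in the statement: nothing appears on the site before review.
$insert = $pdo->prepare('INSERT INTO requests (name, email, age, hidden) VALUES (?, ?, ?, 1)');
foreach ($samples as $s) {
    $errors = validateSignup($s);
    if ($errors) {
        echo 'rejected: ' . implode(', ', $errors) . "\n";
        continue;
    }
    // Bound parameters keep submitted values out of the SQL text.
    $insert->execute([trim($s['name']), trim($s['email']), (int)$s['age']]);
}

// Admin review listing: HTML-encode every stored value on output.
foreach ($pdo->query('SELECT name, email FROM requests WHERE hidden = 1') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . ' &lt;'
       . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . "&gt;\n";
}
```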

By gkornbluth - February 8, 2016

Thanks Greg.

I'll post my finished code as soon as it's done

Jerry Kornbluth


By gkornbluth - February 11, 2016

Hi Greg,

I've attached the viewer that I created and hope you'll get a moment to look at it from a security perspective.

Also, the body of the email template that I'm using is below.

I can't seem to get the code in the link right to set the updatedDate field to the same time that the record was created, and hope you can offer some guidance.

Thank you,

Jerry Kornbluth.

#contact.firstName# #contact.lastName# has submitted a directory listing request for #practice#.

After you've determined that the request is from a valid DBT provider, AND THAT THE PROVIDER IS NOT ALREADY LISTED IN THE DIRECTORY, click on the link below to create a listing in the directory


NOTE: You'll have to un-hide their listing after they've updated their profile, or it will not be available in the directory.


http://dbtproviders.com/cmsAdmin/admin.php?menu=accounts&action=add&username=#contact.username#&email=#contact.email#&password=2xyz3&hidden=1&contact_first_name=#contact.firstName#&contact_last_name=#contact.lastName#&practice_name=#practice#&approved=1


By gregThomas - February 11, 2016

Hey Jerry, 

Assuming you've validated the values entered by the user before it gets passed to the template (for example, by checking the email address is a valid structure), the code in the previous post looks good. 

> I can't seem to get the code in the link right to set the updatedDate field to the same time that the record was created, and hope you can offer some guidance.

I've done some local testing, and if you don't pass any value in the URL for the createdDate or updatedDate, I think they should automatically be set to the current date and time.

Cheers,

Greg

Greg Thomas







PHP Programmer - interactivetools.com
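The pre-filled admin link discussed in this thread, built with every value URL-encoded, as an added example that is not code from the thread or from CMS Builder. The base URL is a placeholder, `buildPrefillLink()` and `PREFILL_FIELDS` are hypothetical names, and the field names are the ones used in the posts above.

```php
<?php
// Added example. Only these form fields may be carried into the link.
const PREFILL_FIELDS = ['username', 'email', 'contact_first_name',
                        'contact_last_name', 'practice_name'];

function buildPrefillLink(string $adminUrl, array $fields): string {
    // Drop any submitted key that is not on the allow-list.
    $fields = array_intersect_key($fields, array_flip(PREFILL_FIELDS));
    // Fixed values are merged last so nothing from the form can override them.
    $params = array_merge(
        ['menu' => 'accounts', 'action' => 'add'],
        $fields,
        ['hidden' => '1']
    );
    // http_build_query percent-encodes every key and value, so "&", "=", "#"
    // and spaces stay inside the field they belong to.
    return $adminUrl . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Constructed sample submission, including a key the form never offered.
$submission = [
    'username'           => 'jdoe',
    'email'              => 'j.doe+dbt@example.com',
    'contact_first_name' => 'Jane',
    'contact_last_name'  => "O'Hare",
    'practice_name'      => 'Doe & Smith Counseling #2',
    'isAdmin'            => '1',
];

$link = buildPrefillLink('https://example.com/cmsAdmin/admin.php', $submission);
echo $link, "\n";

// Round-trip check: decoding the query string yields exactly the intended fields.
parse_str(parse_url($link, PHP_URL_QUERY), $decoded);
var_dump($decoded['practice_name'] === $submission['practice_name']);
var_dump($decoded['email'] === $submission['email']);
var_dump(!isset($decoded['isAdmin']) && $decoded['hidden'] === '1');
```

Validation of the individual values still happens before this step; encoding only guarantees that each value arrives in the field it was meant for.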

By gkornbluth - February 11, 2016 - edited: February 11, 2016

Thanks Greg,

Silly me...

I actually meant the lastLoginDate field.

I guess I can use the updatedDate just as well, and since it does auto update, it will work to determine if a mandatory profile update is required (if a provider has not updated their profile in 6 months).

I think I have all of the security bases covered as well.

Thanks again for all your help

Jerry Kornbluth
